Our applications run on myriad systems with myriad server software.
Operating Systems include various flavors of Linux, BSD, Windows.
Server Software includes versions and flavors of Apache, IIS, Resin,
Tomcat, Postgres, MySQL, MSSQL, Qmail, Sendmail, Proftpd etc etc.
We ensure security despite the diverse portfolio of software
products we utilize by following a process-oriented approach
Timely Application of Updates, Bug Fixes and Security Patches -
servers are registered for automatic updates to ensure that they always
have the latest security patch installed and that any new
vulnerabilities are rectified as soon as possible. The largest number
of intrusions result from exploitation of known vulnerabilities,
configuration errors, or virus attacks where countermeasures ARE
already available. According to CERT, systems and networks are impacted
by these events as they have "not consistently" deployed the patches
that were released.
We fully understand the requirement for strong patch and update
management processes. As operating systems and server software get more
complex, each newer release is littered with security holes.
Information and updates for new security threats are released on an
almost daily basis. We have built consistent, repeatable processes and
a reliable auditing and reporting framework which ensures that all our
systems are always up-to-date.
Periodic Security Scans -
Frequent checks are run
using enterprise grade security software to determine if any servers
have any known vulnerabilities. The servers are scanned against the
most comprehensive and up-to-date databases of known vulnerabilities.
This enables us to proactively protect our servers from attacks and
ensure business continuity by identifying security holes or
vulnerabilities before an attack occurs.
Pre-Upgrade testing processes -
Software upgrades are
released frequently by various software vendors. while each vendor
follows their own testing procedures prior to release of any upgrade,
they cannot test inter-operability issues between various software. For
instance a new release of a database may be tested by the Database
vendor. However the impact of deploying this release on a production
system running various other FTP, Mail, Web Server software cannot be
directly determined. Our system administration team documents the
impact analysis of various software upgrades and if any of them are
perceived to have a high-risk, they are first beta-tested in our labs
before live deployment.